[Bro-Dev] Bro IDS request

Dave Florek dave.a.florek at gmail.com
Fri Aug 12 12:10:17 PDT 2016


Manual searching to establish a timeline of events that I can understand
when my intel.log chirps.

On Fri, Aug 12, 2016 at 2:40 PM, Azoff, Justin S <jazoff at illinois.edu>
wrote:

>
> > On Aug 12, 2016, at 2:14 PM, Aashish Sharma <asharma at lbl.gov> wrote:
> >
> > Maybe try: ftp://ftp.ee.lbl.gov/cf-1.2.5.tar.gz
> >
> > eg: cf conn.log  | less
> >
>
> Yeah.. cf should be a few times faster than bro-cut for busy log files,
> especially if the only thing you are doing is converting the timestamp.
> It has an optimization that bro-cut doesn't have yet for avoiding
> converting timestamps if the current one is the same second as the previous
> one.
>
> If you are using both tools though and only extracting a few fields,
> piping bro-cut to cf should be faster than piping cf to bro-cut.
>
> I'm not sure why converting the timestamp is so important though. What
> are you doing with the data once you convert the timestamps?
>
>
> --
> - Justin Azoff
>
>
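The same-second caching that Justin attributes to cf, as an added Python example (not code from the thread, from cf, or from bro-cut): it rewrites the `ts` column of a Bro ASCII log and only calls strftime when the integer second changes. The intel.log fragment, its UIDs, addresses and indicators are constructed for the example.

```python
import time
from typing import Iterable, List, Tuple

# Constructed intel.log fragment in Bro's ASCII format (not real traffic),
# trimmed to a few columns. The first two records share the same second.
SAMPLE_INTEL_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tseen.indicator\tseen.indicator_type
#types\ttime\tstring\taddr\tstring\tenum
1471028417.102934\tCXWv6p3arKYeMETxOg\t10.0.0.5\texample.test\tIntel::DOMAIN
1471028417.743120\tC4J4Th3PJpwUYZZ6gc\t10.0.0.7\texample.test\tIntel::DOMAIN
1471028418.000511\tCtPZjS20MLrsMUOJi2\t10.0.0.5\t198.51.100.23\tIntel::ADDR
"""


def convert_timestamps(lines: Iterable[str],
                       fmt: str = "%Y-%m-%d %H:%M:%S") -> Tuple[List[str], int]:
    """Rewrite the ts column as UTC text; return (lines, strftime call count).

    Header lines (#separator, #types, ...) pass through untouched; #fields is
    used to locate the ts column. The strftime result is cached per integer
    second, so a burst of records within one second costs a single call.
    """
    out: List[str] = []
    ts_idx = None
    last_sec = None
    cached = ""
    calls = 0
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            ts_idx = line.split("\t")[1:].index("ts")
            out.append(line)
            continue
        if line.startswith("#") or not line:
            out.append(line)
            continue
        if ts_idx is None:
            raise ValueError("data line seen before #fields header")
        fields = line.split("\t")
        raw = fields[ts_idx]
        if raw == "-":                      # Bro's unset-field marker: leave it
            out.append(line)
            continue
        sec, _, frac = raw.partition(".")   # keep the sub-second digits verbatim
        if sec != last_sec:                 # only reconvert when the second changes
            cached = time.strftime(fmt, time.gmtime(int(sec)))
            calls += 1
            last_sec = sec
        fields[ts_idx] = f"{cached}.{frac}" if frac else cached
        out.append("\t".join(fields))
    return out, calls


if __name__ == "__main__":
    converted, n = convert_timestamps(SAMPLE_INTEL_LOG.splitlines())
    print("\n".join(converted), f"\n# strftime calls: {n}")
```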

